Additional docs about security vulnerabilities with XStream.
This commit is contained in:
parent
b6c54c3637
commit
4da7e304b8
|
@ -75,8 +75,15 @@ import org.springframework.util.xml.StaxUtils;
|
||||||
/**
|
/**
|
||||||
* Implementation of the {@code Marshaller} interface for XStream.
|
* Implementation of the {@code Marshaller} interface for XStream.
|
||||||
*
|
*
|
||||||
* <p>By default, XStream does not require any further configuration,
|
* <p>By default, XStream does not require any further configuration and can (un)marshal
|
||||||
* though class aliases can be used to have more control over the behavior of XStream.
|
* any class on the classpath. As such, it is <b>not recommended to use the
|
||||||
|
* {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web), as
|
||||||
|
* this can result in <b>security vulnerabilities</b>. If you do use the
|
||||||
|
* {@code XStreamMarshaller} to unmarshal external XML, set the
|
||||||
|
* {@link #setConverters(ConverterMatcher[]) converters} and
|
||||||
|
* {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
|
||||||
|
* {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
|
||||||
|
* you want it to support.
|
||||||
*
|
*
|
||||||
* <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
|
* <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
|
||||||
* It defaults to {@code UTF-8}.
|
* It defaults to {@code UTF-8}.
|
||||||
|
|
|
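Review bot: the new sentence `* {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web), as` uses "i.e." where "e.g." is meant: the Web is one example of an external source, not its definition (the same wording appears in the reference-doc hunk of this commit). A more substantive gap in the same paragraph is that it tells readers to set the `converters` and `supportedClasses` properties or override `customizeXStream(XStream)` "to make sure it only accepts the classes you want it to support", but does not say which of these the marshaller actually enforces at unmarshal time; if `supportedClasses` only drives the `supports(Class)` check, the Javadoc should say so plainly and direct readers to configure the `XStream` instance itself in `customizeXStream`, so nobody relies on a property that merely advertises support rather than restricting what is deserialized.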
@ -755,7 +755,11 @@ public class Application {
|
||||||
<para>
|
<para>
|
||||||
By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
|
By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
|
||||||
vulnerabilities.
|
vulnerabilities.
|
||||||
As such, it is recommended to set the <property>supportedClasses</property> property on the
|
As such, it is <emphasis>not recommended to use the <classname>XStreamMarshaller</classname> to
|
||||||
|
unmarshal XML from external sources</emphasis> (i.e. the Web), as this can result in
|
||||||
|
<emphasis>security vulnerabilities</emphasis>.
|
||||||
|
If you do use the <classname>XStreamMarshaller</classname> to unmarshal XML from an external source,
|
||||||
|
set the <property>supportedClasses</property> property on the
|
||||||
<classname>XStreamMarshaller</classname>, like so:
|
<classname>XStreamMarshaller</classname>, like so:
|
||||||
<programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
|
<programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
|
||||||
<property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
|
<property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
|
||||||
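Review bot: the reference-doc paragraph presents `supportedClasses` as the only mitigation ("set the <property>supportedClasses</property> property on the <classname>XStreamMarshaller</classname>, like so:"), whereas the Javadoc changed in the same commit lists `converters`, `supportedClasses` and overriding `customizeXStream` as the options; the two texts should agree, and the reference doc should at least mention `customizeXStream` for the case where restricting the XStream instance itself is required. Minor: "(i.e. the Web)" should read "(e.g. the Web)", as in the Javadoc hunk. The `<programlisting>` also shows only the `supportedClasses` property with a single `Flight` class; a one-line note that multiple classes can be listed would make the example more useful.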